Response to the Office Action of November 9, 2007 
Serial No. 10/733,326 



Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of 
claims in the application. 

1. (currently amended) A method of secure session management for a web farm, 
the web farm including a first server and a second server, the second server having 
a requested web page, the method comprising the-steps-e#: 

receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token; 

decrypting said encrypted session token at the first server to obtain a 
decrypted session token; 

redirecting said request to the second server, including transmitting said 
session token directly to the second server; and 

verifying said decrypted session token. 

2. (currently amended) The method claimed in claim 1, further including steps-of 
creating a new session token, encrypting said new session token at the second 
server to produce a new encrypted session token, and transmitting a response to 
said browser from the second server, wherein said response includes said new 
encrypted session token. 

3. (currently amended) The method claimed in claim 2, wherein said decrypted 
session token includes a session ID and a timestamp, and wherein said step of 
creating a new session token includes generating a new session ID and updating 
said timestamp. 

Page 2 of 17 



Response to the Office Action of November 9, 2007 
Serial No. 10/733,326 



4. (currently amended) The method claimed in claim 2, further including a-sfcep-ef 
updating a common session database by replacing said decrypted session token with 
said new session token in said common session database. 

5. (currently amended) The method claimed in claim 1, wherein said decrypted 
session token includes a session ID and a timestamp. 

6. (currently amended) The method claimed in claim 5, wherein a common session 
database contains a stored session ID and a stored timestamp, and wherein said 
step-ef-verifying includes comparing said session ID and said timestamp with said 
stored session ID and said stored timestamp. 

7. (currently amended) The method claimed in claim 5, further including a step of 
determining whether a session has timed out, said step of determining including 
determining an elapsed time between said timestamp and a current server time, 
and comparing said elapsed time with a predetermined maximum time to determine 
whether said session has timed out. 

8. (currently amended) The method claimed in claim 7, including a step of closing 
said session if said session has timed out. 

9. (currently amended) The method claimed in claim 1, wherein said step o f 
transmitting includes incorporating said decrypted session token into a URL. 

10. (currently amended) The method claimed in claim 1, wherein a session 
management web service performs said step of verifying, said session management 
web service being accessible to said first server and said second server, and wherein 
said step of -verifying includes comparing said decrypted session token with stored 
session data. 

11. (Original) The method claimed in claim 10, wherein the web farm further 
includes a common session database containing said stored session data. 
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12. (Original) The method claimed in claim 1, wherein said requested web page 
includes a web resource selected from the group including an applet, an HTML page, 
a Java server page, and an Active server page. 

13. (currently amended) A system for secure session management, the system 
being coupled to a network and receiving a request for a requested web page from a 
browser via the network, the request including an encrypted session token, the 
system comprising: 

a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a decrypted session token; 

a second server including the requested web page; 

a common session database including stored session data; and 

a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said 
decrypted session token with said stored session data; 

whe r ein -said first request handler redirects adapted to redirect the request to 
said second server and fa^rsmfts- transmit the decrypted session token 
directly to said second server. 

14. (Original) The system claimed in claim 13, wherein said session management 
web service includes a token generator for creating a new session token for said 
second server, and wherein said second server includes a second request handler, 
said second request handler encrypting said new session token to produce a new 
encrypted session token and transmitting a response to said browser, wherein said 
response includes said new encrypted session token. 

15. (currently amended) The system claimed in claim 14, wherein said decrypted 
session token includes a session ID and a timestamp, and wherein said token 
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generator generates a new session ID, and updates said timestamp based upon a 
current server time. 

16. (currently amended) The system claimed in claim 14, wherein said session 
management web service replaces said decrypted session token within said common 
session database with said new session token. 

17. (currently amended) The system claimed in claim 13, wherein said decrypted 
session token includes a session ID and a timestamp. 

18. (Original) The system claimed in claim 17, wherein said stored session data 
includes a stored session ID and a stored timestamp, and wherein said validation 
component compares said session ID and said timestamp with said stored session 
ID and said stored timestamp. 

19. (Original) The system claimed in claim 17, wherein said validation component 
further determines an elapsed time between said timestamp and a current server 
time, and compares said elapsed time with a predetermined maximum time to 
determine whether a session has timed out. 

20. (Original) The system claimed in claim 19, wherein said session management 
web service closes said session if said validation component indicates said session 
has timed out. 

21. (currently amended) The system claimed in claim 13, wherein said first request 
handler incorporates said decrypted session token into a URL in order to transmit 
said session token to said second server. 

22. (Original) The system claimed in claim 13, wherein the requested web page 
includes a web resource selected from the group including an applet, an HTML page, 
a Java server page, and an Active server page. 
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23. (currently amended) A computer program product having a computer-readable 
medium tangibly embodying computer executable instructions for secure session 
management for a web farm, the web farm including a first server and a second 
server, the second server having a requested web page, the computer executable 
instructions including of: 

computer executable instructions for receiving, at the first server, a request 
for the requested web page from a browser, said request including an 
encrypted session token; 

computer executable instructions for decrypting said encrypted session token 
at the first server to obtain a decrypted session token; 

computer executable instructions for redirecting said request to the second 
server, including computer executable instructions for transmitting said 
decrypted session token directly to the second server; and 

computer executable instructions for verifying said decrypted session token. 

24. (Original) The computer program product claimed in claim 23, further including 
computer executable instructions for creating a new session token, encrypting said 
new session token at the second server to produce a new encrypted session token, 
and transmitting a response to said browser from the second server, wherein said 
response includes said new encrypted session token. 

25. (currently amended) The computer program product claimed in claim 24, 
wherein said decrypted session token includes a session ID and a timestamp, and 
wherein said computer executable instructions for creating a new session token 
include computer executable instructions for generating a new session ID and 
updating said timestamp. 
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26. (currently amended) The computer program product claimed in claim 24, further- 
including computer executable instructions for updating a common session database 
by replacing said decrypted session token with said new session token in said 
common session database. 

27. (currently amended) The computer program product claimed in claim 23, 
wherein said decrypted session token includes a session ID and a timestamp. 

28. (Original) The computer program product claimed in claim 27, wherein a 
common session database contains a stored session ID and a stored timestamp, and 
wherein said computer executable instructions for verifying include computer 
executable instructions for comparing said session ID and said timestamp with said 
stored session ID and said stored timestamp. 

29. (Original) The computer program product claimed in claim 27, further including 
computer executable instructions for determining whether a session has timed out, 
said computer executable instructions for determining including computer 
executable instructions for determining an elapsed time between said timestamp 
and a current server time, and comparing said elapsed time with a predetermined 
maximum time to determine whether said session has timed out. 

30. (Original) The computer program product claimed in claim 29, including 
computer executable instructions for closing said session if said session has timed 

out. 

31. (currently amended) The computer program product claimed in claim 23, 
wherein said computer executable instructions for transmitting include computer 
executable instructions for incorporating said decrypted session token into a URL. 

32. (currently amended) The computer program product claimed in claim 23, 
wherein said computer executable instructions for verifying comprise a session 
management web service, said session management web service being accessible to 
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said first server and said second server, and wherein said computer executable 
instructions for verifying include computer executable instructions for comparing 
said decrypted session token with stored session data. 

33. (Original) The computer program product claimed in claim 32, wherein the web 
farm further includes a common session database containing said stored session 
data. 

34. (Original) The computer program product claimed in claim 23, wherein said 
requested web page includes a web resource selected from the group including an 
applet, an HTML page, a Java server page, and an Active server page. 
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